Azure Container Registry: Identity, OCI Artifacts, Geo-Replication, and Governance
A production operating model for ACR authentication, repository permissions, digests, scanning integrations, retention, private networking, and global replicas.
Azure Container Registry is a private registry for OCI container images and related artifacts. The registry is a security boundary; repositories organize content within it. Microsoft Entra identities, managed identities, service principals, and repository-scoped tokens cover different automation and delegation needs. Prefer short-lived or managed identity over the registry admin account.
Artifact identity and promotion
Tags are convenient release names but can be reassigned. Digests identify content. A sound promotion pipeline builds once, records the digest and SBOM, evaluates policy, then promotes that same artifact rather than rebuilding source independently for each environment. Tag locking and repository permissions reduce accidental movement.
Networking and authorization
Azure RBAC and the registry’s supported repository permission model should separate readers, writers, and administrators. Private Link and firewall rules can constrain network paths, but agents and clusters still need working DNS and token endpoints. AKS can pull through a managed identity integration; verify the exact role assignment rather than distributing Docker credentials.
Replication, retention, and security
Premium geo-replication presents a global registry endpoint and synchronizes content to writable replicas with eventual consistency. It improves locality but adds replicated storage and transfer costs, and a newly pushed artifact may not be present everywhere immediately. Retention and purge automation must protect deployed digests. Defender and other scanners provide findings; signing/provenance policy must evolve with Microsoft’s current Notary guidance rather than relying on a deprecated trust mechanism indefinitely.
Operational checks
Measure pull latency, throttling, failed authorization, replication lag, storage growth, and vulnerable artifacts. Test restore and region-outage behavior. A registry is part of the production supply chain: losing a manifest, key, or permission can block deployment just as effectively as losing source code.
Sources: Azure Container Registry concepts, ACR geo-replication, ACR authentication overview